Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints. Just as you may use a name badge to identify yourself in the physical work environment, cybersecurity access management practices can help ensure that users are properly identified in the digital environment, as well.
Sub-Practices for Small Organizations
User accounts enable organizations to control and monitor each user’s access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats. Your IT specialist should implement the security controls in Table 5 to manage user access to data, applications, and devices.
3.S.A | Basic Access Management | NIST FRAMEWORK REF: PR.AT, PR.AC-1, PR.AC-6, PR.AC-4, PR.IP-11, PR.IP-1, PR.AC-7

Table 5. Security Controls Enabling Organizations to Manage User Access to Data

| Security Control | Description |
| --- | --- |
| Establish a unique account for each user | Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). |
| Limit the use of shared or generic accounts | The use of shared or generic accounts should be avoided. If shared accounts are required, train and regularly remind users that they must sign out upon completion of activity or whenever they leave the device, even for a moment. Passwords should be changed after each use. Sharing accounts exposes organizations to greater vulnerabilities. For example, the complexity of updating passwords for multiple users on a shared account may result in a compromised password remaining active and allowing unauthorized access over an extended period of time. |
| Tailor access to the needs of each user | Tailor access for each user based on the user’s specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning. |
| Terminate user access as soon as the user leaves the organization | When an employee leaves your organization, ensure that procedures are executed to terminate the employee’s access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee’s former position before granting access based on the requirements for the new position. |
| Provide role-based access | As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised. |
| Configure systems and endpoints with automatic lock and log-off | Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. |
| Implement single sign-on | Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access. |
| Implement MFA for the cloud | Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users. |
To monitor compliance with the practices listed in Table 5, implement access management procedures to track and monitor user access to computers and programs. These procedures will ensure the consistent provisioning and control of access throughout your organization. Examples of such standard operating procedures can be found in Appendix G of the Main document.
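One way to run the periodic access review these procedures call for, written here as an added example rather than code from the HICP document: reconcile the accounts found on a system against the HR roster and a role-to-entitlement matrix, flagging the conditions Table 5 describes (shared accounts, departed or unknown owners, job changes, entitlements beyond the role, EHR access without MFA). The roster, roles, entitlement names and user names are all constructed for illustration.

```python
# Added example, not from the HICP document: reconcile system accounts against
# an HR roster to apply the Table 5 controls. All data below is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Constructed role-to-entitlement matrix: the "minimum necessary" per role.
ROLE_ENTITLEMENTS = {"clinician": {"ehr", "email", "file_server"},
                     "front_desk": {"scheduling", "email"}}
@dataclass
class Account:
    username: str
    owner: Optional[str]   # None marks a shared or generic account
    role: str              # role the account was provisioned for
    entitlements: set
    mfa_enabled: bool

def review_accounts(accounts, roster, today):
    """Return (username, finding) pairs; roster maps name -> (role, left_on)."""
    findings = []
    for a in accounts:
        if a.owner is None:
            findings.append((a.username, "shared or generic account"))
        elif a.owner not in roster:
            findings.append((a.username, "owner not on HR roster"))
        else:
            role, left_on = roster[a.owner]
            if left_on is not None and left_on <= today:
                findings.append((a.username, "owner has left; terminate access"))
                continue
            if role != a.role:   # job change: re-provision for the new role
                findings.append((a.username, f"role is now {role}; re-provision"))
            extra = a.entitlements - ROLE_ENTITLEMENTS.get(a.role, set())
            if extra:
                findings.append((a.username, f"excess entitlements: {sorted(extra)}"))
            if "ehr" in a.entitlements and not a.mfa_enabled:
                findings.append((a.username, "EHR access without MFA"))
    return findings
# Constructed sample data: the HR roster and the accounts found on a system.
ROSTER = {"Ana Lopez": ("clinician", None), "Ben Ortiz": ("front_desk", None),
          "Cara Singh": ("clinician", date(2024, 3, 1))}
ACCOUNTS = [
    Account("alopez", "Ana Lopez", "clinician", {"ehr", "email", "file_server"}, True),
    Account("bortiz", "Ben Ortiz", "front_desk", {"scheduling", "email", "ehr"}, False),
    Account("csingh", "Cara Singh", "clinician", {"ehr", "email"}, True),
    Account("frontdesk", None, "front_desk", {"scheduling"}, False),
]

def sample_findings():
    """Run the review on the constructed data as of 15 March 2024."""
    return review_accounts(ACCOUNTS, ROSTER, date(2024, 3, 15))
```

Each finding maps to one row of Table 5, so the output doubles as the audit trail for the review.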
Threats Mitigated
- Ransomware attack
- Insider, accidental or intentional data loss
- Attacks against connected medical devices that may affect patient safety